Recovering Protected and Encrypted NTFS Files

This article describes the process of recovery for files protected, encrypted or compressed with EFS (NTFS), and gives you hints on how to tackle possible problems.
NTFS has a lot of features not even imaginable in the older file system, FAT. Alternative data streams, user access permissions, on-the-fly compression and encryption are just a few things that are obvious to a computer user. Undeleting files and recovering corrupted partitions on NTFS presents more of a challenge to the designer of a data recovery tool than it does on the older file system. Let’s deal with these issues one by one.

This is Part I of the article “Recovering Compressed, Protected and Encrypted NTFS Files” covering NTFS access control rights and on-the-fly encryption. The second part will discuss the ability to recover NTFS compressed files.

NTFS Access Control Rights

NTFS introduced a new feature allowing the operating system to control who can and who cannot access a given file, folder or disk. The feature uses a file system attribute known as the ACL (Access Control List) to allow or disallow certain activities such as the ability to read, write or create files, list the content of a folder, or change file permissions.

As many files belong to different users, including the operating system itself, strict obedience to permissions set in the access control list would restrict system administrators from being able to recover users’ files, or at least slow down the process significantly. For this reason, pretty much every data recovery algorithm will ignore file access permissions by reading the disk directly, bypassing the high-level API of the file system. Effectively, NTFS access control lists are nothing to worry about when recovering information – if you have administrative rights on a given PC.

NTFS File Encryption

NTFS file encryption adds an extra layer of security. Not to be confused with access control rights, the encryption will actually alter the contents of the files, encrypting them with a strong encryption key derived from the user’s Windows account password.

NTFS encryption works differently compared to access control rights management. It is impossible and plain inefficient to recover such files in the direct disk access mode, even if their details are available in the MFT (Master File Table). While you can still read files “locked” with ACL attributes on another PC by simply changing or bypassing the attributes, encrypted files cannot be accessed as easily even if you have low-level access to the original disk. If you don’t know the exact password, you won’t be able to decrypt the content of encrypted files, which makes them effectively unusable. Note, however, that this only applies to situations when you are trying to recover somebody else’s files without knowing the original Windows account password. If you do know the password, you can read the encrypted files even on another PC.
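
As an added illustration (not code from this article or from any recovery product), the following Python reads the metadata a raw-mode tool can still see in an MFT record regardless of ACLs: whether the record belongs to a deleted file, and whether the file is flagged as encrypted or compressed, which tells the tool that the file data itself cannot be used without going through Windows. The record bytes are constructed for the example, and update-sequence fixups are assumed to be already applied.

```python
import struct

ATTR_STD_INFO = 0x10                 # $STANDARD_INFORMATION
ATTR_LOGGED_UTILITY_STREAM = 0x100   # carries the $EFS stream on encrypted files
ATTR_END = 0xFFFFFFFF
FILE_ATTRIBUTE_COMPRESSED = 0x0800
FILE_ATTRIBUTE_ENCRYPTED = 0x4000
RECORD_IN_USE = 0x0001               # cleared in the header when a file is deleted

def classify_mft_record(rec: bytes) -> dict:
    """Report what one raw MFT FILE record says about deletion, EFS and compression."""
    if len(rec) < 0x30 or rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off, hdr_flags = struct.unpack_from("<HH", rec, 0x14)  # first attribute, record flags
    info = {"in_use": bool(hdr_flags & RECORD_IN_USE), "encrypted": False,
            "compressed": False, "efs_stream": False}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END:
            break
        if alen < 0x18 or off + alen > len(rec):   # also stops a zero-length loop
            raise ValueError(f"corrupt attribute header at offset {off:#x}")
        non_resident, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le", "replace")
        if atype == ATTR_STD_INFO and not non_resident:
            content_off = struct.unpack_from("<H", rec, off + 0x14)[0]
            if content_off + 0x24 > alen:
                raise ValueError("truncated $STANDARD_INFORMATION")
            dos = struct.unpack_from("<I", rec, off + content_off + 0x20)[0]
            info["encrypted"] = bool(dos & FILE_ATTRIBUTE_ENCRYPTED)
            info["compressed"] = bool(dos & FILE_ATTRIBUTE_COMPRESSED)
        elif atype == ATTR_LOGGED_UTILITY_STREAM and name == "$EFS":
            info["efs_stream"] = True
        off += alen
    return info

def _resident(atype, content, name=""):  # builds constructed sample data only
    n = name.encode("utf-16-le")
    c_off = (0x18 + len(n) + 7) & ~7
    total = (c_off + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, len(name), 0x18, 0, 0, len(content), c_off, 0, 0)
    return (hdr + n).ljust(c_off, b"\0") + content.ljust(total - c_off, b"\0")

def sample_record(in_use: bool, dos_flags: int) -> bytes:
    """Constructed 1024-byte record (not from a real disk); fixups are omitted."""
    std = bytes(0x20) + struct.pack("<I", dos_flags) + bytes(0x0C)
    efs = _resident(ATTR_LOGGED_UTILITY_STREAM, bytes(8), "$EFS") if dos_flags & FILE_ATTRIBUTE_ENCRYPTED else b""
    hdr = bytearray(b"FILE".ljust(0x38, b"\0"))
    struct.pack_into("<HH", hdr, 0x14, 0x38, RECORD_IN_USE if in_use else 0)
    return (bytes(hdr) + _resident(ATTR_STD_INFO, std) + efs + struct.pack("<I", ATTR_END)).ljust(1024, b"\0")
```

Calling `classify_mft_record(sample_record(False, 0x20 | 0x4000))` reports a deleted record whose file is flagged as EFS-encrypted and carries an `$EFS` stream.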

Recovering NTFS Encrypted Files

NTFS-encrypted files must be accessed via Windows APIs, which basically means no low-level disk access in raw mode. The inability of data recovery tools to use raw disk access puts numerous restrictions on the recoverability of NTFS-encrypted files. However, recovery is still possible if you choose the right tool.

Tools and Limitations

Some of the more advanced NTFS recovery tools will correctly detect and process encrypted files – provided that the files were encrypted by the same Windows account you are logged in to at the time of recovery, or at least if you know the original account password. The “how-to” tutorial on accessing NTFS-encrypted files from another PC is out of the scope of this article, so let’s just put a note that it is possible.

The recovery of NTFS-encrypted files carries certain restrictions and limitations, making the ability of a given tool to recover a given file under given circumstances a case-by-case issue.

NTFS volume recovery tools such as Hetman NTFS Recovery will be able to detect and recover encrypted files under certain conditions. Knowing the right password is essential, but it’s not enough. Hetman NTFS Recovery will need to use high-level Windows APIs to read encrypted files (as opposed to using direct disk access in raw mode). Thus the recovery of encrypted files will depend on whether or not the Windows disk API is still able to read the file. For example, undeleting encrypted files located on a healthy disk is no different to undeleting any other type of file. Recovering NTFS-encrypted files from formatted NTFS disks is iffy, but generally still possible. If the file system is badly damaged, the chances of correctly recovering NTFS-encrypted files are much lower than those for non-encrypted ones. However, it’s always worth a try to see if your files in your situation are actually recoverable.
